Mark Misulich wrote:
> Hi,
> I used rkhunter a couple of days ago by running in terminal as root
> "rkhunter -c --sk" and came up with multiple file warnings, including
> that there was a key logger installed. I had no indications of a

Where is the key logger warning? I looked at your report, and didn't
see one.

[...]


>  linux-bd31:/home/lxmark # rkhunter -c --sk
> [ Rootkit Hunter version 1.3.2 ]

Output trimmed except for warnings...

> Checking system commands...
> 

[...]

>   Performing file properties checks

>     /usr/bin/groups                                          [ Warning ]
>     /usr/bin/ldd                                             [ Warning ]
>     /sbin/chkconfig                                          [ Warning ]
>     /sbin/ifup                                               [ Warning ]


>   Performing system configuration file checks
>     Checking if SSH root access is allowed                   [ Warning ]

This is not necessarily a problem. It's common, especially in servers,
to allow root to log in remotely for purposes of maintenance.

>   Performing filesystem checks
>     Checking /dev for suspicious file types                  [ Warning ]

> System checks summary
> =====================
> 
> File properties checks...
>     Files checked: 135
>     Suspect files: 4

This may be because they are scripts. See above. You need to examine
your output log to ascertain exactly what the warning is about.
Also, if you use a package manager like RPM, and tell rkhunter
about it, then it may make some or all of these warnings go away.

> All results have been written to the logfile (/var/log/rkhunter.log)

Look in this file, and see what exactly the warnings mean.

> I am requesting your opinion as to whether this was a spurious
> warning regarding a keylogger.  If someone can tell me how to access
> the previous log which showed all the warnings including the
> keylogger warning, I will post that if it is pertinent.

I don't see the mention of a keylogger.

Actually, the system looks pretty clean to me. The four files
/usr/bin/groups, /usr/bin/ldd, /sbin/chkconfig, and /sbin/ifup
are very slightly concerning. As I mentioned, they may simply
be scripts on your system, and informing rkhunter about your
package manager may make those go away.

You also need to look at the report on /dev and see why it
has an unusual file in it. My system has MAKEDEV in it,
which is executable, and I used to get a similar warning
until I told rkhunter about my package manager.

Mike
-- 
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I speak only for myself, and I am unanimous in that!
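
A small shell helper, added here as an example and not part of Mike's message or the rkhunter project's own code, that pulls the paths flagged "[ Warning ]" out of a saved report in the format quoted above and checks whether each one starts with a shebang, which is the "they may simply be scripts" case Mike raises. The report lines and the two files it inspects are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): triage rkhunter file-properties warnings.
# Assumes a report saved from "rkhunter -c --sk" in the quoted line format.

# Print the path from every "<path> ... [ Warning ]" line of the given report.
# Config warnings such as "Checking if SSH root access is allowed" do not start
# with "/" and are therefore skipped on purpose.
flagged_paths() {
    sed -n 's/^ *\(\/[^ ]*\) *\[ Warning \].*$/\1/p' "$1"
}

# Classify a file: "script" if it begins with "#!", "binary" otherwise,
# "missing" if it cannot be read (paths from another host usually will be).
kind_of() {
    [ -r "$1" ] || { echo "missing"; return; }
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        echo "script"
    else
        echo "binary"
    fi
}

# --- constructed demo data: a report fragment plus two fake files ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/report.txt" <<'EOF'
Checking system commands...
  Performing file properties checks
    /usr/bin/groups                                          [ Warning ]
    /usr/bin/ldd                                             [ Warning ]
    /sbin/chkconfig                                          [ Warning ]
    /sbin/ifup                                               [ Warning ]
    /bin/ls                                                  [ OK ]
  Performing system configuration file checks
    Checking if SSH root access is allowed                   [ Warning ]
EOF
printf '#!/bin/sh\nexit 0\n' > "$DEMO/script.sh"   # constructed shell script
printf '\177ELF\n' > "$DEMO/binary"                # constructed ELF-like header

# Stand-alone run: list each flagged path with its classification.
for p in $(flagged_paths "$DEMO/report.txt"); do
    printf '%-20s %s\n' "$p" "$(kind_of "$p")"
done
```

For the package-manager step Mike mentions, rkhunter reads `PKGMGR=RPM` (or `DPKG`) from rkhunter.conf, or accepts `--pkgmgr RPM` on the command line, so that files verified against the package database are not reported as changed.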

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
